Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
30-06-2024 18:03
General
-
Target
circinfo (1).exe
-
Size
3.1MB
-
MD5
2763babfb8b326e2d65a72df26addb5a
-
SHA1
a1149202d460f732f18b54169623fd58ba2fc43e
-
SHA256
070e3261185784ceb8344c68850dab238d23dfe9935667e28ccc329a21105dfb
-
SHA512
3304f94d612bc71ac592f22be081b861aa7339e979cbf700391f9687d452b4ddfb79de03f78dc280fe7d60cb960457be45da5bc62d5c48405d0450907c3eeb49
-
SSDEEP
49152:vvRG42pda6D+/PjlLOlg6yQipVNxQEC3pk/JxyoGdgfUTHHB72eh2NT:vvg42pda6D+/PjlLOlZyQipVNxpY
Malware Config
Extracted
quasar
1.4.1
MotherFucker
registration-suspected.gl.at.ply.gg:60152
127.0.0.1:240
7e923a0e-cb03-48fc-87a3-d5d222b55fa8
-
encryption_key
43F51C3DD1637A1DF460F58619C015C31CCF137E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\circinfo (1).exe"C:\Users\Admin\AppData\Local\Temp\circinfo (1).exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MDJCpeJ49VjT.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MDJCpeJ49VjT.batFilesize
213B
MD559e1bc621da4bc301d49ee3d661c4bd4
SHA1aef1b43e9e9ef9c3fe7ee6f8adf40e8bd4f33bc0
SHA256335e3d5c21c07e27e261aa0730560081e222cb05d603e1b223c19d0788c58bc1
SHA512eaf241713558de3fb55eaba533961781a5d1805b4b4b1760dfbe511be1e458be0d9ff7689cc01aa7922ee2dc01ebcb87f4163e5264517dad8b92d7fc8f18d034
-
memory/1844-0-0x00007FF994853000-0x00007FF994855000-memory.dmpFilesize
8KB
-
memory/1844-1-0x0000000000250000-0x0000000000574000-memory.dmpFilesize
3.1MB
-
memory/1844-2-0x00007FF994850000-0x00007FF995312000-memory.dmpFilesize
10.8MB
-
memory/1844-3-0x000000001B9A0000-0x000000001B9F0000-memory.dmpFilesize
320KB
-
memory/1844-4-0x000000001BAB0000-0x000000001BB62000-memory.dmpFilesize
712KB
-
memory/1844-7-0x000000001B9F0000-0x000000001BA02000-memory.dmpFilesize
72KB
-
memory/1844-8-0x000000001BA50000-0x000000001BA8C000-memory.dmpFilesize
240KB
-
memory/1844-9-0x00007FF994853000-0x00007FF994855000-memory.dmpFilesize
8KB
-
memory/1844-10-0x00007FF994850000-0x00007FF995312000-memory.dmpFilesize
10.8MB
-
memory/1844-15-0x00007FF994850000-0x00007FF995312000-memory.dmpFilesize
10.8MB